Firms fail to examine security implications of emerging technologies

The report, titled Borderless Security: Ernst & Young’s 2010 Global Information Security Survey, is based on a survey of 1600 senior executives in 56 countries and examines challenges organizations face when it comes to current trends, new technologies used by their workforce, and the difficulties of trying to protect information while operating in a virtual business environment.

The top three emerging technologies covered by the survey are mobile devices, social networking, and cloud computing. The results of the survey show that 60% of respondents perceive increased risk from the use of these technologies at work. Additionally, 64% of respondents see data protection as one of the top IT risks.

At the same time, only 10% of respondents say that examining emerging technologies is a very important information security function.

“I was surprised that only 10% of our respondents were thinking about or having dedicated teams and resources applied to emerging technologies and their impact on information security. I was expecting more there, given some of the rapid changes we are dealing with in technology”, said Jose Granado, head of the America’s practice for information security services at Ernst & Young.

According to the survey, respondents view the most serious risk associated with mobile computing as the potential loss of business information; 52% see the use of personal devices as the main cause of data leakage. In addition, 53% of respondents indicate that workforce mobility is a challenge to delivering information security solutions effectively. The majority of respondents (92%) view employee awareness of security as a challenge, as the demands of a mobile workforce change the way companies support and protect the flow of information.

“There has been a ‘consumerization’ of enterprise IT”, Granado told Infosecurity. “The line is getting very blurred between a corporate mobile device and a personal device…As we become an untethered workforce, business has no other option than to support a multitude of mobile devices to enable productivity. I know many companies that are willing to support any device you bring into the organization through a variety of different security mechanisms for you to get your work done”, he said.

“Organizations are starting to grapple with how do you support from a security perspective and maintain some semblance of standardization when you are supporting a multitude of devices….With a mobile device, you have a logical threat from intrusion and a threat of having a physical event, in which the device is lost or stolen…This is another element of the security challenge of mobile devices”, he said.

The Ernst & Young study suggests that few organizations have fully assessed the risks associated with social networking. Just one-third report that social media presents a considerable information security challenge.

Granado stressed that blocking social networking is much less of an option because social networking tools are becoming essential for many industries. For example, the retail industry relies on social networking to get feedback from consumers and head off negative views of products being spread around the internet.

“Security awareness is the most important element of social networking security….This means aggressive, reinforced security awareness. This can be done through a variety of mechanisms: media, video, speakers, contests, and email reminders. The key is it needs to be frequent, effective, and enforceable. Your policy needs to be tied into your security awareness program…The answer is how to enable social networking while trying to reduce security risks as much as possible”, Granado added.

Despite cloud computing's unproven track record, 45% of organizations are currently using, evaluating, or planning to use cloud computing services within the next 12 months. The risks associated with cloud computing include data leakage, with 52% identifying it as the largest associated risk, followed by 39% who cite the lost visibility of company data as an increased risk of cloud-based solutions. However, most respondents (85%) indicate that external certification of cloud service providers would help to evaluate security controls and increase trust.

“From a security perspective, it almost seems counterintuitive to outsource everything to the cloud”, Granado said. “Security is about control and risk evaluation and management….It causes concern because of a lack of control and visibility. Part of the issue is transparency. A lot of the cloud providers are trying to be transparent with their security measures. It is a risk tolerance issue. How much are you going to trust someone else to handle your data? Are you satisfied that the cloud provider is being transparent? We don’t have a lot of agreed upon security standards for cloud computing”, he said.

Granado concluded: “We have to take a step back and look at social networking, cloud computing, and mobile devices and allocate time, resources, thought, and innovation to what these technologies are going to be doing in the enterprise and how we need to factor that into our security strategies.”
